(54) Encryption strength evaluation support apparatus and recording medium recording encryption strength evaluation support program



(57) An encryption strength evaluation support apparatus includes a statistical data sampling program executing means for statistically obtaining correlations between individual bits of input and output data of an encryption device to be evaluated, a statistical result storage means for storing the bit correlations obtained by the statistical data sampling program executing means, and a statistical result edit/output means for editing and outputting the bit correlations stored in the statistical result storage means in the form of a table or a two- or three-dimensional graph. A mechanically readable recording medium recording an encryption strength evaluation support program for the above apparatus is also disclosed.
Description

BACKGROUND OF THE INVENTION 

FIELD OF THE INVENTION 

[0001] The present invention relates to an encryption strength evaluation support apparatus suited to evaluating the encryption strength of an encryption device by using a statistical method, and a mechanically readable recording medium recording an encryption strength evaluation support program.

DESCRIPTION OF THE PRIOR ART 

[0002] Conventional techniques of evaluating the strength of an encryption algorithm are roughly classified into those based on a specific decoding method and those based on statistical methods.

[0003] Examples of the encryption strength evaluation based on a specific decoding method are "Method and Apparatus for Evaluating Strength of Encryption Algorithm" described in Japanese Unexamined Patent Publication No. 8-190344 and "Encryption Performance Evaluation Apparatus" described in Japanese Unexamined Patent Publication No. 9-160489, similar to the former patent. Either technique evaluates the strength of an encryption algorithm in terms of strength against linear decoding for block encryption. That is, the former technique finds a linear approximate expression having a maximum deviation ratio obtainable from an encryption algorithm whose strength is to be evaluated. On the basis of the result of this search, the strength of the encryption algorithm against linear decoding is evaluated. The latter technique attempts to improve the performance of evaluation by increasing linear correlation detection efficiency in linear decoding. Details of the linear decoding are described in Mitsuru Matsui ("DES Encryption Linear Decoding Method (1)", SCIS98-3C (Jan. 1993)).

[0004] On the other hand, the conventional encryption strength evaluation based on statistical methods is described in, e.g., "Encryption and Information Security" (March 29, 1990, Shokodo), "^.5 Ciphertext Randomness Evaluation Indices" (pp. 49 - 56). That is, this technique evaluates the encryption strength by using numerical values such as the maximum value, mean value, and variance of the correlation between input and output data. This reference also describes discrimination between the strengths of a plurality of encryption algorithms by comparing these numerical values.

[0005] The encryption strength evaluation based on a specific decoding method depends upon the specific decoding method called linear decoding. Therefore, this technique cannot evaluate in principle the strength of an encryption algorithm to which this decoding method is not applicable, and hence lacks versatility. In contrast, the method of evaluating encryption strength by using a statistical method is highly versatile because the method does not depend upon any specific decoding method.

[0006] Unfortunately, the conventional encryption strength evaluation technique based on a statistical method evaluates encryption strength by using numerical values such as the maximum value, mean value, and variance of the correlation between input and output data. Since these values are representative values of a large number of sample values, this technique cannot finely analyze the behavior of encryption conversion. In some instances, evaluation errors may take place.

SUMMARY OF THE INVENTION 

[0007] The present invention has been made in consideration of the above situation and has as its object to provide an encryption strength evaluation support apparatus capable of evaluating encryption strength independent of any specific decoding method and finely analyzing the behavior of encryption conversion, and a mechanically readable recording medium recording an encryption strength evaluation support program.

[0008] It is another object of the present invention to provide an encryption strength evaluation support apparatus capable of easily analyzing the behavior of encryption conversion, and a mechanically readable recording medium recording an encryption strength evaluation support program.

[0009] To achieve the above objects, according to the first aspect of the present invention, there is provided an encryption strength evaluation support apparatus comprising statistical data sampling program executing means for statistically obtaining correlations between individual bits of input and output data of an encryption device to be evaluated, statistical result storage means for storing the bit correlations obtained by the statistical data sampling program executing means, and statistical result edit/output means for editing and outputting the bit correlations stored in the statistical result storage means in the form of a table or a two- or three-dimensional graph.

[0010] In this encryption strength evaluation support apparatus, the statistical data sampling program executing means statistically obtains correlations between individual bits of input and output data of an encryption device to be evaluated and stores the bit correlations in the statistical result storage means. The statistical result edit/output means edits and outputs the bit correlations stored in the statistical result storage means in the form of a table or a two- or three-dimensional graph. Accordingly, it is possible to evaluate encryption strength independently of any specific decoding method and finely and easily analyze the behavior of encryption conversion.

[0011] According to the present invention, there is provided an encryption strength evaluation support apparatus further comprising, in addition to the arrangement of the first aspect, evaluation object program forming means for forming an encryption program to be evaluated, wherein the statistical data sampling program executing means statistically obtains correlations between individual bits of input and output data of the evaluation object program formed by the evaluation object program forming means. This allows a single apparatus to design and evaluate an encryption algorithm and thereby improves the efficiency of development.

[0012] According to the present invention, there is provided an encryption strength evaluation support apparatus further comprising statistical program library means for holding, for each predetermined evaluation item, a statistical program for calculating data necessary to evaluate the evaluation item, and evaluation object data group generating means having evaluation object program forming means for forming an encryption program to be evaluated, evaluation condition setting means for setting evaluation conditions, and interface function setting means for setting an interface between the evaluation object program formed by the evaluation object program forming means and the statistical programs, the evaluation object data group generating means holding an evaluation object data group including the formed evaluation object program and the set evaluation conditions and interface, wherein the statistical data sampling program executing means comprises statistical data sampling program generating/activating (restarting) means for generating a statistical data sampling program for statistically obtaining correlations between individual bits of input and output data of the evaluation object program from the evaluation object data group and the statistical programs in the statistical program library means. This allows a single apparatus to design an encryption algorithm and evaluate the algorithm by using the statistical programs previously held in the statistical program library means, thereby improving the efficiency of development.

[0013] According to the present invention, the statistical program library means comprises a basic function library of basic functions such as addition, subtraction, and logical operations, and statistical program library generating means for generating a statistical program to be added to a statistical program library by using the basic functions of the basic function library. This allows the user to freely form any statistical program and perform evaluation by using the program.

[0014] According to the present invention, the statistical data sampling program executing means comprises means for sequentially collecting statistical data for a plurality of evaluation items. Consequently, a plurality of evaluation items can be simultaneously evaluated.

[0015] According to the present invention, the statistical data sampling program executing means has a function of interrupting processing for an evaluation item currently being executed and processing the next evaluation item in accordance with an instruction from a user, and a function of restarting processing for the evaluation item interrupted in accordance with an instruction from the user.

[0016] The encryption strength evaluation support apparatus of the present invention achieves the following effects.

[0017] Encryption strength can be evaluated independently of any specific decoding method because statistical evaluation is performed on the basis of the correlation between input and output data of an encryption device. Therefore, even when the encryption algorithm is unknown, evaluation is possible if input and output data sequences of an encryption device are obtainable. To evaluate strength by a known plaintext amount necessary to conventional evaluation, e.g., linear decoding, a linear approximate expression of an encryption algorithm must be obtained beforehand. However, if the encryption algorithm is unknown, evaluation is impossible. For example, the present invention can evaluate the strength of an encryption device having tamper resistance, whereas an evaluation method that depends upon linear decoding cannot be used for such a device.

[0018] The behavior of encryption conversion can be finely detected. This is because statistical data indicating the correlations between individual bits of input and output data of an encryption device to be evaluated is edited and output in the form of a table or the like, so details of the individual bit correlations can be known.

[0019] The behavior of encryption conversion can be easily detected. The reason for this is that statistical data indicating the correlations between individual bits of input and output data of an encryption device to be evaluated is edited and output in the form of a two- or three-dimensional graph, so the operator can intuitively recognize the data.

[0020] The encryption strengths of a plurality of encryption devices can be easily compared. The reason is that statistical data indicating the correlations between individual bits of input and output data of a plurality of encryption devices are edited and compared in the form of the same table or graph, so the operator can compare details of the behaviors of these encryption devices.

[0021] An encryption device can be efficiently designed for reasons explained below. That is, in the process of designing an encryption algorithm, the behaviors of the encryption algorithm before and after correction can be easily analyzed, and relative strength comparison is easy to perform. Additionally, the evaluation object program forming means can perform processes from correction to evaluation of a program as a series of operations.

[0022] The above and many other objects, features and advantages of the present invention will become manifest to those skilled in the art upon making reference to the following detailed description and accompanying drawings in which preferred embodiments incorporating the principles of the present invention are shown by way of illustrative examples.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023]

Fig. 1 is a block diagram showing the whole configuration of one embodiment of the present invention;
Fig. 2 is a block diagram showing the arrangement of an evaluation object data group generating means used in the embodiment of the present invention;
Fig. 3 is a block diagram showing the arrangement of a statistical program library means used in the embodiment of the present invention;
Fig. 4 is a block diagram showing the arrangement of a statistical data sampling program executing means used in the embodiment of the present invention;
Fig. 5 is a block diagram showing the arrangement of a statistical result edit/output means used in the embodiment of the present invention;
Fig. 6 is a flow chart showing the operation of a statistical evaluation system control means used in the embodiment of the present invention;
Fig. 7 is a flow chart showing the operation of a statistical data sampling program operation monitoring means used in the embodiment of the present invention;
Fig. 8 is a flow chart showing the operation of a statistical data sampling program generating/activating (restarting) means used in the embodiment of the present invention;
Fig. 9 is a flow chart showing the operation of a statistical data sampling program interrupting/ending means used in the embodiment of the present invention;
Fig. 10 is a flow chart showing the operation of a statistical data sampling program used in the embodiment of the present invention;
Fig. 11 is a view showing an evaluation object program;
Fig. 12 is a view showing evaluation conditions;
Fig. 13 is a view showing settings of interface functions between an evaluation object program and statistical programs;
Fig. 14 is a view showing the status of execution of the statistical data sampling program displayed on a display device;
Fig. 15 is a view showing a table displayed when statistical data is edited and output;
Fig. 16 is a view showing a "draw graph" dialogue box used to designate the type of graph;
Figs. 17A to 17E are views showing different types of graphs displayed when statistical data is edited and output; and
Fig. 18 is a block diagram showing the whole configuration of another embodiment of the present invention.



DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0024] Several preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

[0025] Referring to Fig. 1, an encryption strength evaluation support apparatus according to one embodiment of the present invention includes an evaluation object data group generating means 101, a statistical program library means 102, a statistical evaluation system control means 103, a statistical data sampling program executing means 104, a statistical result edit/output means 105, and a statistical result storage means 106.

[0026] The statistical program library means 102 has a statistical program library which is a library of statistical programs each for calculating data necessary to evaluate a corresponding predetermined evaluation item. This statistical program library means 102 also has a support function of allowing the evaluation operator to form arbitrary statistical programs. Examples of the statistical evaluation items are bit balance, output bit correlation, input bit-output bit correlation, and avalanche (each item will be described in detail later).

[0027] The evaluation object data group generating means 101 has an evaluation object data group containing an evaluation object program whose encryption strength is to be evaluated, the evaluation conditions, and an interface between the evaluation object program and the statistical programs. The evaluation object data group generating means 101 also has a support function of allowing the evaluation operator to form arbitrary encryption algorithms to be evaluated and evaluation conditions.

[0028] The statistical data sampling program executing means 104 receives an evaluation object data group from the evaluation object data group generating means 101 and also receives statistical programs for calculating data necessary to evaluate the evaluation items of the evaluation object data group from a statistical program library (303 in Fig. 3) of the statistical program library means 102. The statistical data sampling program executing means 104 has a function of generating, from these input data group and statistical programs, a statistical data sampling program (406 in Fig. 4) for statistically calculating the correlation between each bit of input data and each bit of output data of an encryption algorithm to be evaluated, and executing the generated program.

[0029] The statistical result storage means 106 stores the statistical results of the correlations between individual bits of the encryption algorithm input and output data sampled by the statistical data sampling program executing means 104.

[0030] The statistical result edit/output means 105 edits and outputs the bit correlations stored in the statistical result storage means 106 in the form of a table or a two- or three-dimensional graph.

[0031] The statistical evaluation system control means 103 receives various instructions from the evaluation operator and controls the statistical data sampling program executing means 104 and the statistical result edit/output means 105 in accordance with the contents of these instructions.

[0032] In the encryption strength evaluation support apparatus of this embodiment having the above configuration, the evaluation operator prepares a statistical program library in the statistical program library means 102 and also prepares an evaluation object data group, which describes a program to be evaluated, evaluation conditions such as items to be evaluated, and an interface between the evaluation object program and necessary statistical programs, in the evaluation object data group generating means 101. After that, the operator instructs the apparatus to sample statistical data. In accordance with the instruction from the statistical evaluation system control means 103, the statistical data sampling program executing means 104 generates and executes a statistical data sampling program on the basis of the evaluation object data group and statistical program library. Consequently, the correlations between individual bits of input and output data of an encryption algorithm to be evaluated are statistically obtained and stored in the statistical result storage means 106. The operator then instructs the apparatus to edit and output the statistical results. In accordance with the instruction from the statistical evaluation system control means 103, the statistical result edit/output means 105 edits and outputs the statistical results stored in the statistical result storage means 106 in the form of a table or a two- or three-dimensional graph. This allows the operator to finely and easily recognize the behavior of encryption conversion of the encryption algorithm to be evaluated.

[0033] The arrangement and operation of each component of the encryption strength evaluation support apparatus of this embodiment will be described in detail below.

[0034] Fig. 2 is a block diagram showing the arrangement of the evaluation object data group generating means 101. Fig. 3 is a block diagram showing the arrangement of the statistical program library means 102.

[0035] Referring first to Fig. 3, this statistical program library means 102 comprises a basic function library 302, a statistical program library generating means 301, and a statistical program library 303. The basic function library 302 is a library of basic functions, i.e., basic calculation functions such as addition, subtraction, logical operations, and mean calculations. The statistical program library generating means 301 provides the evaluation operator with a statistical program formation environment by using the basic functions prepared in the basic function library 302. The statistical program library 303 stores statistical programs generated by the statistical program library generating means 301.

[0036] A statistical program generates, as evaluation data, input plaintext and a key to an encryption algorithm to be evaluated, calculates output ciphertext obtained when the evaluation data is input to the encryption algorithm, and also calculates statistical data from the evaluation data. A statistical program is prepared for each evaluation item. The contents of some representative evaluation items and the functions of statistical programs necessary for these items will be described below. Assume that the evaluation object algorithm is F, the plaintext is M, the key is K, the output of the evaluation object algorithm is F(M,K), the input bit width is n, and the output bit width is m.

○ Avalanche evaluation

[0037] Avalanche evaluation evaluates the effect a one-bit change in input data has on an output bit by following, e.g., the procedure below.

(1) Generate M by random numbers.

(2) Calculate F(M,K).

(3) Invert the ith bit of M by one bit to form data Mi.

(4) Calculate F(Mi,K).

(5) If the jth bit of F(M,K) xor F(Mi,K) is 0 or 1, add -1 or 1, respectively, to an element Aij of a two-dimensional matrix A of n rows x m columns (xor: exclusive-OR).

(6) Repeat (1) to (5) for large numbers of Ms and Ks. Consequently, each element of A stores [count of inversion - count of non-inversion] of a specific output bit when a specific input bit is inverted. This is avalanche data.

[0038] Of the above procedure, an avalanche evaluation statistical program performs the processes of generating large numbers of Ms and Ks by random numbers and updating A on the basis of the result of F(M,K) xor F(Mi,K). An evaluation object program performs the process of calculating F(M,K) and F(Mi,K). Note that passing on of evaluation data generated by the statistical program to the evaluation object program and passing on of data generated by the evaluation object program to the statistical program are performed in accordance with an interface between the evaluation object program and the statistical program in the evaluation object data group. This applies to each of the following evaluation items.

○ Input bit-output bit correlation evaluation

[0039] Input bit-output bit correlation evaluation evaluates the correlation between each bit of input data and each bit of output data by following, e.g., the procedure below.

(1) Generate M by random numbers.

(2) Calculate F(M,K).

(3) Exclusive-OR each bit i of M and each bit j of F(M,K). If the operation result is 0 or 1, add -1 or 1, respectively, to an element Aij of a two-dimensional matrix A of n rows x m columns.

(4) Repeat (1) to (3) for large numbers of Ms and Ks. Consequently, each element of A stores [count of mismatch - count of match] between a specific input bit and a specific output bit. This is input bit-output bit correlation data.

[0040] Of the above procedure, an input bit-output bit correlation evaluation statistical program performs the processes of generating large numbers of Ms and Ks by random numbers and updating A by exclusive-ORing each bit of M and each bit of F(M,K). An evaluation object program performs the process of calculating F(M,K).

○ Output bit correlation evaluation

[0041] Output bit correlation evaluation evaluates the correlation between individual bits of output data by following, e.g., the procedure below.

(1) Generate M by random numbers.

(2) Calculate F(M,K).

(3) Exclusive-OR each bit i of F(M,K) and another bit j of F(M,K). If the operation result is 0 or 1, add -1 or 1, respectively, to an element Aij of a two-dimensional matrix A of n rows x m columns.

(4) Repeat (1) to (3) for large numbers of Ms and Ks. Consequently, each element of A stores [count of mismatch - count of match] between two specific output bits. This is output bit correlation data.

[0042] Of the above procedure, an output bit correlation evaluation statistical program performs the processes of generating large numbers of Ms and Ks by random numbers and updating A by exclusive-ORing each bit i of F(M,K) and another bit j of F(M,K). An evaluation object program performs the process of calculating F(M,K).

○ Bit balance evaluation

[0043] Bit balance evaluation evaluates the frequencies of occurrence of 1 and 0 for each bit of output data by following, e.g., the procedure below.

(1) Generate M by random numbers.

(2) Calculate F(M,K).

(3) If each bit i of F(M,K) is 0 or 1, add -1 or 1, respectively, to an element Bi of a one-dimensional matrix B of m rows.

(4) Repeat (1) to (3) for large numbers of Ms and Ks. Consequently, each element of B stores [count of appearance of 1 - count of appearance of 0] of a specific output bit. This is bit balance data.

[0044] Of the above procedure, a bit balance evaluation statistical program performs the processes of generating large numbers of Ms and Ks by random numbers and updating B in accordance with the value of each bit of F(M,K). An evaluation object program performs the process of calculating F(M,K).
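
The four procedures above (avalanche, input bit-output bit correlation, output bit correlation, and bit balance), collected into one sampling loop and a text table, as an added Python example that is not code from the patent. The two evaluation objects `f_weak` and `f_mixed`, the 16-bit widths, the seed and all function names are assumptions constructed here for illustration.

```python
import hashlib
import random

N_BITS = 16  # input bit width n (assumed for this example)
M_BITS = 16  # output bit width m (assumed for this example)
MASK = (1 << M_BITS) - 1


def f_weak(m, k):
    """Constructed weak F: modular addition of plaintext and key."""
    return (m + k) & MASK


def f_mixed(m, k):
    """Constructed well-mixing F: SHA-256 of key || plaintext, truncated to m bits."""
    data = k.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def tally(b):
    """The document's counting rule: a 0 bit adds -1, a 1 bit adds +1."""
    return 1 if b else -1


def evaluate(f, samples, seed=1):
    """Run all four evaluation items over `samples` random (M, K) pairs.

    Bit 0 is the least significant bit. Returns a dict of tallies:
    avalanche[i][j], in_out[i][j], out_out[i][j] and balance[j].
    """
    rng = random.Random(seed)  # seeded so a run is reproducible
    avalanche = [[0] * M_BITS for _ in range(N_BITS)]
    in_out = [[0] * M_BITS for _ in range(N_BITS)]
    out_out = [[0] * M_BITS for _ in range(M_BITS)]
    balance = [0] * M_BITS
    for _ in range(samples):
        m, k = rng.getrandbits(N_BITS), rng.getrandbits(16)
        c = f(m, k)
        c_bits = [(c >> j) & 1 for j in range(M_BITS)]
        for j, cj in enumerate(c_bits):
            balance[j] += tally(cj)
            for i in range(N_BITS):
                in_out[i][j] += tally(((m >> i) & 1) ^ cj)
            for i, ci in enumerate(c_bits):
                if i != j:  # "another bit j": the diagonal stays 0
                    out_out[i][j] += tally(ci ^ cj)
        for i in range(N_BITS):
            diff = c ^ f(m ^ (1 << i), k)  # F(M,K) xor F(Mi,K)
            for j in range(M_BITS):
                avalanche[i][j] += tally((diff >> j) & 1)
    return {"avalanche": avalanche, "in_out": in_out,
            "out_out": out_out, "balance": balance}


def worst(matrix, samples):
    """Largest |tally| / samples over all cells (0 = balanced, 1 = deterministic)."""
    rows = matrix if isinstance(matrix[0], list) else [matrix]
    return max(abs(v) for row in rows for v in row) / samples


def render(matrix, samples):
    """Text table: '#' leans to 1, '-' leans to 0, '.' is near balanced."""
    def symbol(v):
        r = v / samples
        return "#" if r > 0.5 else "-" if r < -0.5 else "."
    return "\n".join("".join(symbol(v) for v in row) for row in matrix)


if __name__ == "__main__":
    for name, f in (("f_weak", f_weak), ("f_mixed", f_mixed)):
        stats = evaluate(f, 1000)
        print(name, {key: round(worst(val, 1000), 3) for key, val in stats.items()})
        print(render(stats["avalanche"], 1000))
```

For `f_weak` the avalanche table shows a fixed diagonal and output bits below the flipped input bit that never change, while its other three items look balanced under random keys; that per-cell detail is what a single mean or variance would hide.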
[0045] The statistical program library generating means 301 for supporting the formation of the various statistical programs described above and the basic function library 302 can be realized by, e.g., Microsoft Visual C++ 4.2. If no appropriate statistical program exists in the statistical program library 303, the evaluation operator can form a desired statistical program under the environment provided by the statistical program library generating means 301 by using the basic calculation functions such as addition, subtraction, logical operations, and mean calculations in the basic function library 302, and add the formed program to the statistical program library 303.

[0046] Referring back to Fig. 2, the evaluation object data group generating means 101 comprises an evaluation object program forming means 201, an interface function setting means 202, an evaluation condition setting means 203, and an evaluation object data group 204.

[0047] The evaluation object program forming means 201 provides the evaluation operator with an environment for forming an evaluation object program.

[0048] The evaluation condition setting means 203 provides the evaluation operator with an environment for setting items to be evaluated for an evaluation object program and the evaluation conditions such as a key and data widths.

[0049] The interface function setting means 202 provides the evaluation operator with an environment for setting an interface between an evaluation object program and statistical programs. As described earlier in the explanation of evaluation items, an evaluation object program is evaluated by using statistical programs, but the evaluation object program and the statistical programs are formed separately. Therefore, an interface for exchanging data between the two kinds of programs must be prepared beforehand. The interface function setting means 202 allows the evaluation operator to form such an interface.

[0050] The evaluation object program forming means 201, the interface function setting means 202, and the evaluation condition setting means 203 described above can be realized by, e.g., Microsoft Visual C++ 4.2.

[0051] As described above, in the evaluation object data group generating means 101 shown in Fig. 2, the encryption strength evaluation support apparatus itself is given the evaluation object program forming means 201. Consequently, it is possible to efficiently perform a series of operations of design, evaluation, correction, and reevaluation of an encryption algorithm. Additionally, the apparatus has the interface function setting means 202 and the evaluation condition setting means 203. This allows evaluation of arbitrary items of a formed evaluation object program.

[0052] Fig. 4 is a block diagram shewing the anrange- 
ment of the statistical data sanpling program executing 
means 104. Rg. 5 is a block diagram showing the s 
an^angement of the statistical result edit/output means 
105. Fig. 6 is a flow chart showing the operation of the 
statistical evaluation system control means 103. Figs. 7 
to 10 are flow charts showing the operation of each 
means in the statistical data sampling program execut- 
ing means 104. The rest of the components will be 
desaibed bekiw with reference to these drawings. 
[0053] Refen^ing first to Fig. 6, the statistical evaluation 
system control means 103 starts operating (step 601) 
and monitors inputs from an operator (step 602). An 
input signal detected in this operator input monitoring 
can take any fonn provided that the signal can desig- 
nate the following control. For example, the signal Ibrm 
can be key input by an operator, input from a separately 
prepared operation panel, or infomnation of a control 
signal from a certain control program. 
[0054] If input from the operator is detected in step 
S602, the stat^tical evaluation system control nr^eans 
103 checks the contents of control indicated by ttie input 
instruction (stejE^ 603. 605. and 607). The contents of 
input control instruction from an operator are roughly 
classified into an instruction concerning statistical data 
sampling, an instruction concerning edit/oulput of statis- 
tical results, and an instruction directing erxJ of the sta- 
tistical evaluation system control means 103 itself. The 
input instruction concerning statistical data sampling 
from an operator is one of an instruction directing start 
(restart) of sampling and an instruction directing inter- 
ruption of sampling. 

[0055] If the control instruction is about statistical data sampling (YES in step 603), the statistical evaluation system control means 103 issues control data to the statistical data sampling program executing means 104 (step 604), and the flow returns to the operator input monitoring in step 602. If the input instruction concerning statistical data sampling from the operator indicates sampling start (restart) or sampling interruption, the statistical evaluation system control means 103 issues control data indicating data sampling start or control data indicating data sampling end, respectively, to the statistical data sampling program executing means 104.
[0056] If the control instruction is about edit/output of statistical results (YES in step 605), the statistical evaluation system control means 103 issues control data to the statistical result edit/output means 105 (step 606), and the flow returns to the operator input monitoring in step 602.

[0057] If the control instruction indicates end of the statistical evaluation system control means 103 itself (YES in step 607), the statistical evaluation system control means 103 performs necessary end processes, e.g., issues control data indicating program operation end to the statistical data sampling program executing means 104, and ends itself (step 608).
[0058] Referring to Fig. 4, the statistical data sampling program executing means 104 comprises a statistical data sampling program operation monitoring means 403, a statistical data sampling program interrupting/ending means 404, a statistical data sampling program generating/activating (restarting) means 405, and a statistical data sampling program 406. The statistical data sampling program generating/activating (restarting) means 405 generates and activates (restarts) the statistical data sampling program 406 under the control of the statistical data sampling program operation monitoring means 403. The statistical data sampling program interrupting/ending means 404 interrupts or ends the statistical data sampling program 406 under the control of the statistical data sampling program operation monitoring means 403. The statistical data sampling program operation monitoring means 403 controls the statistical data sampling program generating/activating (restarting) means 405 and the statistical data sampling program interrupting/ending means 404 and thereby controls the execution of the statistical data sampling program 406, under the control of the statistical evaluation system control means 103 and in accordance with end information from the statistical data sampling program 406.

[0059] Referring to Fig. 7, the statistical data sampling program operation monitoring means 403 starts operating (step 701) and executes operations in steps 702 to 708. First, the statistical data sampling program operation monitoring means 403 waits for the reception of control data from the statistical evaluation system control means 103 (step 702). If control data is detected, the statistical data sampling program operation monitoring means 403 checks the contents of control indicated by the control data (steps 703, 705, and 707). The control data transmitted from the statistical evaluation system control means 103 is one of control data indicating data sampling start, control data indicating data sampling end, and control data indicating the end of the program operation.

[0060] If the control data from the statistical evaluation system control means 103 indicates data sampling start (YES in step 703), the statistical data sampling program operation monitoring means 403 issues control data to the statistical data sampling program generating/activating (restarting) means 405 (step 704), and the flow returns to step 702 to wait for the reception of control data from the statistical evaluation system control means 103. If the statistical data sampling program 406 is not generated in step 704, the statistical data sampling program operation monitoring means 403 issues control data instructing the generation of a statistical data sampling program. If the statistical data sampling program 406 is already generated in step 704, the statistical data sampling program operation monitoring means 403 issues control data instructing the activation of the statistical data sampling program.
[0061] If the control data from the statistical evaluation system control means 103 indicates data sampling end (YES in step 705), the statistical data sampling program operation monitoring means 403 issues control data instructing the interruption of the statistical data sampling program 406 to the statistical data sampling program interrupting/ending means 404 (step 706), and the flow returns to step 702 to wait for the reception of control data from the statistical evaluation system control means 103.

[0062] If the control data from the statistical evaluation system control means 103 indicates the end of the program operation (YES in step 707), the statistical data sampling program operation monitoring means 403 performs end processes, e.g., issues control data instructing the end of the program operation to the statistical data sampling program generating/activating (restarting) means 405 and the statistical data sampling program interrupting/ending means 404, and ends itself after receiving end information from the statistical data sampling program 406 (step 708).
[0063] Referring to Fig. 8, the statistical data sampling program generating/activating (restarting) means 405 starts operating (step 801) and executes operations in steps 802 to 808. First, the statistical data sampling program generating/activating (restarting) means 405 waits for the reception of control data from the statistical data sampling program operation monitoring means 403 (step 802). If the control data is detected, the statistical data sampling program generating/activating (restarting) means 405 checks the contents of control indicated by the control data (steps 803, 805, and 807). The control data transmitted from the statistical data sampling program operation monitoring means 403 is one of control data instructing the generation of the statistical data sampling program 406, control data instructing the activation (restart) of the program 406, and control data instructing the end of the program operation.
[0064] If the control data from the statistical data sampling program operation monitoring means 403 indicates the generation of the statistical data sampling program 406 (YES in step 803), the statistical data sampling program generating/activating (restarting) means 405 generates the statistical data sampling program 406 on the basis of the evaluation object data group 204 in the evaluation object data group generating means 101 and necessary statistical programs in the statistical program library 303 of the statistical program library generating means 102 (step 804). The statistical data sampling program generating/activating (restarting) means 405 activates the generated statistical data sampling program 406 (step 806), and the flow returns to step 802 to wait for the reception of control data from the statistical data sampling program operation monitoring means 403.

[0065] If the control data from the statistical data sampling program operation monitoring means 403 indicates program activation (restart) (YES in step 805), the statistical data sampling program generating/activating (restarting) means 405 activates or restarts the statistical data sampling program 406 (step 806), and the flow returns to step 802 to wait for the reception of control data from the statistical data sampling program operation monitoring means 403.

[0066] If the control data from the statistical data sampling program operation monitoring means 403 indicates the end of the program operation (YES in step 807), the statistical data sampling program generating/activating (restarting) means 405 performs necessary end processes and ends itself (step 808).
[0067] Referring to Fig. 9, the statistical data sampling program interrupting/ending means 404 starts operating (step 901) and executes operations in steps 902 to 908. First, the statistical data sampling program interrupting/ending means 404 waits for the reception of control data from the statistical data sampling program operation monitoring means 403 (step 902). If the control data is detected, the statistical data sampling program interrupting/ending means 404 checks the contents of control indicated by the control data (steps 903 and 905). The control data transmitted from the statistical data sampling program operation monitoring means 403 is one of control data instructing the interruption of the statistical data sampling program 406 and control data instructing the end of the program operation.

[0068] If the control data from the statistical data sampling program operation monitoring means 403 indicates the interruption of the statistical data sampling program 406 (YES in step 903), the statistical data sampling program interrupting/ending means 404 edits data sampled and held up to the point in an internal memory by the statistical data sampling program 406 into the form of intermediate data storable in the statistical result storage means 106, stores the intermediate data in the statistical result storage means 106, and, if necessary, displays various messages to the operator (step 904). Also, the statistical data sampling program interrupting/ending means 404 issues control data instructing the interruption to the statistical data sampling program 406 (step 907). The flow then returns to step 902 to wait for the reception of control data from the statistical data sampling program operation monitoring means 403.
[0069] If the control data from the statistical data sampling program operation monitoring means 403 indicates the end of the program operation (YES in step 905), the statistical data sampling program interrupting/ending means 404 performs end processes, e.g., issues control data instructing the program end to the statistical data sampling program 406 (step 906) and ends itself (step 908).

[0070] Referring to Fig. 10, the statistical data sampling program 406 starts operating after being generated and activated by the statistical data sampling program generating/activating (restarting) means 405 (step A01), and executes operations in steps A02 to A09.

[0071] First, the statistical data sampling program 406 detects control data reception (step A02). If the statistical data sampling program 406 detects control data from the statistical data sampling program interrupting/ending means 404 within a predetermined time in step A02 and the detected data indicates program interruption or end (steps A03 or A05), the flow advances to step A04 or A06, respectively. If the statistical data sampling program 406 detects control data instructing activation (restart) from the statistical data sampling program generating/activating (restarting) means 405 or does not detect anything, the flow advances to step A07.

[0072] In step A07, the statistical data sampling program 406 generates evaluation data. The statistical data sampling program 406 executes an evaluation object program by using this evaluation data (step A08). The statistical data sampling program 406 collects statistical data, temporarily stores the collected data in the internal memory, and then stores the data in the statistical result storage means 106 at a predetermined timing (step A09). That is, a statistical program incorporated as a part of the statistical data sampling program generates the evaluation data and collects and stores the statistical data. The evaluation data generated by this statistical program is passed on to an evaluation object program incorporated as a part of the statistical data sampling program, thereby generating output data. The statistical program calculates statistical data from the output data and evaluation data. If a plurality of evaluation items are set, the statistical data sampling program 406 samples statistical data in steps A07 to A09 in the evaluation item order designated by the evaluation conditions. Whenever a predetermined amount of statistical data is sampled for each evaluation item, the flow once returns to the control data reception detection in step A02. If no control data is detected within the predetermined time in step A02, the statistical data sampling program 406 executes steps A07 to A09 to continue the sampling of remaining statistical data.
[0073] If the control data detected in step A02 indicates the interruption of the statistical data sampling program (YES in step A03), the statistical data sampling program 406 edits program restart information, necessary to restart a program for an evaluation item processed up to the point in steps A07 to A09, into the form of intermediate data storable in the statistical result storage means 106 (step A04), and the flow returns to the control data reception detection in step A02. If no control data is detected within the predetermined time in step A02 and any uninterrupted evaluation items still exist, the statistical data sampling program 406 executes steps A07 to A09 for the next evaluation item. If all evaluation items are interrupted, the statistical data sampling program 406 keeps waiting for control data directing the restart of the program operation. If the control data is detected, the flow advances to step A07, and the statistical data sampling program 406 restarts the processing for an evaluation item interrupted earliest from the timing of the interruption.
[0074] If the control data detected in step A02 indicates end (YES in step A05), the statistical data sampling program 406 performs necessary end processes, e.g., informs the statistical data sampling program operation monitoring means 403 of the end, and ends itself (step A06).

[0075] Referring back to Fig. 5, the statistical result edit/output means 105 comprises a numerical processing means 503, a table form numerical data edit/output means 505, and a multi-dimensional graph edit/output means 506.

[0076] The table form numerical data edit/output means 505 edits the statistical data stored in the statistical result storage means 106, i.e., the statistical data indicating the correlations between individual bits of input and output data of an encryption program to be evaluated, into the form of a table and outputs the table to a display device or a printer.
[0077] The multi-dimensional graph edit/output means 506 edits the statistical data stored in the statistical result storage means 106 into the form of a two- or three-dimensional graph and outputs the graph to the display device or printer.

[0078] The numerical processing means 503 controls the table form numerical data edit/output means 505 and the multi-dimensional graph edit/output means 506 in accordance with control data from the statistical evaluation system control means 103. The numerical processing means 503 also performs numerical processing for the statistical data stored in the statistical result storage means 106 to calculate basic statistical amounts such as a mean, maximum, minimum, variance, and standard deviation. These calculated basic statistical amounts are also output together with tables and the like.

[0079] The operation of the encryption strength evaluation support apparatus according to this embodiment will be described in detail below by taking a practical encryption program as an example. Note that the operation will be described in the following order.

(1) Preparation

(a) Preparation of statistical program library

(b) Preparation of evaluation object data group

(2) Sampling of statistical data

(a) Generation and activation of statistical data sampling program

(b) Interruption of statistical data sampling program

(c) Restart of statistical data sampling program

(3) Output of statistical data

(4) End

(1) Preparation 

[0080] To evaluate encryption strength, it is necessary to prepare the evaluation object data group 204 containing an evaluation object program and the like and the statistical program library 303 containing necessary statistical programs. If these data group and library are already prepared, this step can be omitted.

(a) Preparation of statistical program library 

[0081] If no necessary statistical programs exist in the statistical program library 303, the evaluation operator activates the statistical program library generating means 301. Under the environment provided by the statistical program library generating means 301, the operator forms desired statistical programs by using the basic calculation functions such as addition, subtraction, logical operations, and mean calculations in the basic function library 302, and adds the formed programs to the statistical program library 303. In the following explanation, it is assumed that statistical programs for bit balance, output bit relation, input bit-output bit relation, and avalanche are formed and stored in the statistical program library 303.

(b) Preparation of evaluation object data 

[0082] An evaluation object program is formed by using the evaluation object program forming means 201. An interface between the evaluation object program and the statistical programs is set by using the interface function setting means 202. Evaluation conditions are set by using the evaluation condition setting means 203.

[0083] Fig. 11 shows an evaluation object program formed by using Microsoft Visual C++ 4.2. This evaluation object program describes an encryption algorithm which exclusive-ORs text and a master key to form a cipher.

[0084] Fig. 12 shows evaluation conditions formed by using Microsoft Visual C++ 4.2. Referring to Fig. 12, four items of avalanche, bit balance, input bit-output bit relation, and output bit relation are designated, in the form of declaration of a common external function, as evaluation items to be sampled. Subsequently, the following items are designated in the form of external variable declaration: a key random number seed, input data random number seed, key bit length, input data block bit length, output data block bit length, key change count indicating the count of input data by which the key is changed, data change count indicating the count of changes of input data for one key, keyboard input monitoring interval indicating the interval of keyboard input monitoring in terms of count of calculations, and automatic save interval indicating the interval of save of a calculation result into the statistical result storage means 106 in terms of count of calculations. In addition, an evaluation object program is designated in the form of external function declaration.

[0085] Fig. 13 shows settings of interface functions, formed by using Microsoft Visual C++ 4.2, between the evaluation object programs and the statistical programs. Referring to Fig. 13, a total of four functions, i.e., avalanche();, iorelation();, relation();, and balance();, are described as statistical evaluation main functions. All of these functions are statistical programs and stored in the statistical program library 303. These statistical evaluation main functions are executed in order of description. Each statistical evaluation main function is set in the key and data pass-on areas designated by the common external function shown in Fig. 12 by generating the key and the input data by using the key random number seed and the input data random number seed designated by the external variable declaration shown in Fig. 12. The bit lengths of the generated key and input data correspond to the key bit length and the input data block bit length shown in Fig. 12. Also, key and input data to be generated are changed in accordance with the key change count and the data change count shown in Fig. 12.

[0086] Other functions described in the interface shown in Fig. 13 are a function of receiving a key from the statistical evaluation function and passing on the key to the evaluation object program, a function of receiving and saving input data from the statistical evaluation function, calling the evaluation object program, and obtaining output data from the program, and a function of saving the obtained output data. On the basis of these saved input and output data, the statistical evaluation function calculates statistical data and finally outputs the calculated data to the statistical result storage means 106.

(2) Sampling of statistical data 

(a) Generation and activation of statistical data sampling program

[0087] When the operator instructs sampling of statistical data, the statistical evaluation system control means 103 detects the instruction (step 603 in Fig. 6) and sends control data instructing data sampling start to the statistical data sampling program executing means 104 (step 604).

[0088] The statistical data sampling program operation monitoring means 403 of the statistical data sampling program executing means 104 detects the control data directing data sampling start (step 703 in Fig. 7). Since the statistical data sampling program 406 has not been formed yet, the statistical data sampling program operation monitoring means 403 issues control data directing program generation to the statistical data sampling program generating/activating (restarting) means 405 (step 704).

[0089] The statistical data sampling program generating/activating (restarting) means 405 detects the control data instructing program generation (step 803 in Fig. 8). The statistical data sampling program generating/activating (restarting) means 405 receives the evaluation object data group 204 prepared in the evaluation object data group generating means 101 and necessary programs from the statistical program library 303 prepared in the statistical program library generating means 102, and generates the statistical data sampling program 406 which performs the operation as shown in Fig. 10 (step 804). When this statistical data sampling program 406 is generated, the evaluation object program as shown in Fig. 11 is linked to the interface functions as is shown in Fig. 13 and to the statistical programs in the statistical program library 303, thereby generating one executable program. Then, the statistical data sampling program generating/activating (restarting) means 405 activates the generated statistical data sampling program 406 (step 806).

[0090] The statistical data sampling program 406 thus generated and activated generates evaluation data for a first evaluation item (step A07), executes the evaluation object program by using the generated evaluation data as input data (step A08), and collects and stores statistical data on the basis of the evaluation data and output data from the evaluation object program (step A09). In Fig. 13, the statistical evaluation main functions are described in the order of avalanche();, iorelation();, relation();, and balance();. Accordingly, the statistical data are collected and saved in the order of avalanche evaluation data, input bit-output bit relation data, output bit relation data, and balance data.

[0091] The data collection of each evaluation item is continuously performed each time the count of calculations designated by the keyboard input monitor interval shown in Fig. 12 is reached. Whenever the designated count of calculations is reached, the flow once returns to the detection of control data reception in step A02. If no interruption is designated within a predetermined time, the rest of the calculation is restarted. The collected statistical data of the individual evaluation items are finally stored in the statistical result storage means 106 in units of evaluation items.

(b) Interruption of statistical data sampling program

[0092] The operator can interrupt processing for an evaluation item currently being executed and start processing for the next evaluation item by designating interruption of statistical data sampling.
[0093] When the operator instructs sampling interruption, the statistical evaluation system control means 103 detects the instruction (step 603 in Fig. 6) and issues control data instructing data sampling end to the statistical data sampling program executing means 104 (step 604).


[0094] The statistical data sampling program operation monitoring means 403 of the statistical data sampling program executing means 106 detects this control data instructing data sampling end (step 705 in Fig. 7) and issues control data instructing interruption of the program to the statistical data sampling program interrupting/ending means 404 (step 706).
[0095] The statistical data sampling program interrupting/ending means 404 detects the control data directing program interruption (step 903 in Fig. 9). The statistical data sampling program interrupting/ending means 404 edits data sampled and held up to the point in the internal memory into the form of intermediate data storable in the statistical result storage means 106, stores the intermediate data in the statistical result storage means 106, and, if necessary, displays various messages to the operator (step 904). After that, the statistical data sampling program interrupting/ending means 404 issues control data directing the interruption to the statistical data sampling program 406 (step 907).
[0096] The statistical data sampling program 406 detects the control data instructing the interruption (step A03 in Fig. 10), edits program restart information necessary to restart the program next time into the form of intermediate data storable in the statistical result storage means 106, and stores the intermediate data (step A04). The flow then returns to the detection of control data reception in step A02. If no control data is detected within a predetermined time in step A02, the statistical data sampling program 406 executes steps A07 to A09 for the next evaluation item.

(c) Restart of statistical data sampling program 

[0097] If processing for all evaluation items is interrupted, the operator can restart processing for an interrupted evaluation item from the timing of interruption by instructing the restart of statistical data sampling.
[0098] When the operator instructs sampling restart, the statistical evaluation system control means 103 detects the instruction (step 603 in Fig. 6) and sends control data instructing data sampling start to the statistical data sampling program executing means 104 (step 604).
[0099] The statistical data sampling program operation monitoring means 403 of the statistical data sampling program executing means 104 detects the control data instructing data sampling start (step 703 in Fig. 7) and issues control data instructing program activation (restart) to the statistical data sampling program generating/activating (restarting) means 405 (step 704).
[0100] The statistical data sampling program generating/activating (restarting) means 405 detects the control data directing program activation (restart) (step 805 in Fig. 8) and issues control data directing activation (restart) to the statistical data sampling program 406 (step 806).

[0101] The statistical data sampling program 406 detects the control data directing activation (restart) (NO in step A05 of Fig. 10) and continues the operation by using program restart information stored in the statistical result storage means 106 at the timing of interruption and necessary to restart the program next time. That is, the statistical data sampling program 406 keeps generating evaluation data, executing the evaluation object program, and collecting and storing data (steps A07, A08, and A09). The evaluation item restarted at that point is an evaluation item interrupted earliest.
[0102] In this embodiment as described above, it is possible to interrupt processing for an evaluation item currently being executed and process the next evaluation item. This function is convenient to interrupt processing for a certain evaluation item and preferentially process the next evaluation item, since collecting statistical data pertaining to one evaluation item takes a certain time. To make this function more practical, it is also possible to give the statistical data sampling program executing means 104 a function of calculating and displaying the current count and percentage of execution, execution count/sec, remaining time, and predicted value of the completion time, for an evaluation item currently being executed. With this function, the evaluation operator can obtain a certain standard indicating whether interruption is preferable.
[0103] Fig. 14 shows the status of execution of a statistical data sampling program displayed on the display device. Referring to Fig. 14, an operation is instructed from the keyboard, i.e., activation (restart) is instructed by inputting an encript command, and interruption is designated by pressing the [ESC] key. Also, when the operator presses the [SPACE] key, the current count and percentage of execution, execution count/sec, remaining time, and predicted value of the completion time are displayed for an evaluation item currently being executed. In Fig. 14, when the encript command is input, an avalanche evaluation start message is displayed together with the present date and time. Since the [SPACE] key is pressed after that, the current count (percentage) of execution (execution count/sec), remaining time, and predicted value of the completion time are displayed for the avalanche evaluation item currently being executed. Subsequently, the [ESC] key is pressed, so a message indicating that the avalanche evaluation is interrupted, the intermediate results are saved, and a process of evaluating the input bit-output bit relation is started is displayed.

(3) Output of statistical data

[0104] When the operator designates a predetermined item such as an edit form and designates edit and output of statistical data, the statistical evaluation system control means 103 detects this designation (step 605 in Fig. 6) and issues necessary control data to the statistical result edit/output means 105 (step 606). The numerical processing means 503 of the statistical result edit/output means 105 receives and analyzes the control data and performs necessary control.
[0105] For example, if the operator instructs to display the basic statistical amounts and sampled data of a certain evaluation item in the form of a table, the numerical processing means 503 reads out the statistical data of the evaluation item from the statistical result storage means 106. The numerical processing means 503 then calculates basic statistical amounts such as a mean, maximum, minimum, variance, and standard deviation and informs the table form numerical data edit/output means 505 of these calculated basic statistical amounts and the readout statistical data. The table form numerical data edit/output means 505 edits the informed statistical data into the form of a predetermined table and outputs the table together with the informed basic statistical amounts to the display device or printer. For example, Microsoft Excel 97 can be used to form a table.
[0106] Rg. 15 shows a table edited and output by 
using Mrcrosoft Excel 97. In Rg. 15, a portion denoted 
by reference numeral 1501 is a table of statistical data 
Indicating the correlations between individual bits of 
input and output data of an encryption device to be eval- 
uated. This data is avalanche evaluation data. Numerals 
0, 1 , 2,..., described in the row and column directions of 
tiiis table indicate bits of one of input and output data 
and bits of the other data. A numerk:al value at each 
intersection indicates [count of inversion - count of non- 
inversion] of a specific output bit when a specific input 
bit is inverted. A portion denoted by reference numeral 
1502 indicates basic statistical amounts, i.e., a mean, 
maximum, minimum, variance, standard deviation and 
95% confidence rntenml are output. Note that "Value". 
"xSD". "deviation", and "widtfi" indicate tiie value, (value 
- mean) ^ a , deviatk}n ratio, and wkltii. respectively. In 
addition, the table descrit>es random number seeds of 
key and Input data, scheduled all data count, and fin- 
ished all data count. 

[0107] In the table of avalanche evaluation data shown in Fig. 15, a large positive numerical value indicates that the corresponding input and output bits have high correlation, and a large negative value indicates that the corresponding input bit does not contribute to scrambling the data, both of which mean a bad property. If data scrambling is uneven as in this case, the algorithm may be decoded by attack using selective difference or the like; this algorithm is weak. On the other hand, a numerical value whose absolute value is small indicates that the probability of an output bit being inverted when the corresponding input bit is inverted is close to 0.5, so the scrambling performance is high. Accordingly, the larger the ratio of numerical values with small absolute values, the higher the encryption strength. Conventional statistical methods evaluate algorithms on the basis of basic statistical amounts. However, a mean value, for example, approaches 0 even if a large positive or negative numerical value exists, and this may cause an evaluation error. Additionally, the correlation between a specific input bit and a specific output bit cannot be checked, so the behavior of encryption conversion cannot be finely analyzed. In contrast, table form display allows fine analysis of the behavior of encryption conversion and makes accurate evaluation feasible. Furthermore, different encryption algorithms can be easily compared by comparing tables of different evaluation object programs. This applies to evaluation items such as an input bit-output bit relation as well as to avalanche evaluation.
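
The evaluation error described above, where a mean near 0 hides cells with large absolute values, can be reproduced with the following C program; it is an added example, not code from the patent. It builds the [count of inversion - count of non-inversion] table for the FIG. 11 evaluation object (text XOR master key), for a constructed linear toy, and for the MurmurHash3 finalizer used as a stand-in for a well-scrambling conversion. The xorshift32 generator, the 1024-sample count, the single shared seed, and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define BITS 32
typedef uint32_t (*cipher_fn)(uint32_t text, uint32_t key);
struct stats { double mean; long max_abs; };

/* FIG. 11 evaluation object: cipher = text XOR master key. */
static uint32_t xor_cipher(uint32_t t, uint32_t k) { return t ^ k; }

/* Constructed toy: XOR of the 16 even rotations of the text, so each input
   bit always inverts the same 16 of the 32 output bits. */
static uint32_t linear_toy(uint32_t t, uint32_t k) {
    uint32_t y = t;
    for (unsigned r = 2; r < BITS; r += 2) y ^= (t << r) | (t >> (BITS - r));
    return y ^ k;
}

/* MurmurHash3 32-bit finalizer over text^key: stand-in mixer, not a cipher. */
static uint32_t mixer(uint32_t t, uint32_t k) {
    uint32_t h = t ^ k;
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

/* xorshift32 PRNG (assumed; the page does not name its generator). */
static uint32_t next_rand(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; return *s ^= *s << 5;
}

/* Build table[i][j] = count of inversion - count of non-inversion of output
   bit j when input bit i is inverted; return its mean and largest |cell|. */
static struct stats evaluate(cipher_fn f, unsigned samples) {
    long table[BITS][BITS] = {{0}}, sum = 0;
    uint32_t seed = 9705151u; /* the page's input-data seed, reused for keys */
    struct stats st = { 0.0, 0 };
    for (unsigned n = 0; n < samples; n++) {
        uint32_t key = next_rand(&seed), text = next_rand(&seed);
        uint32_t base = f(text, key);
        for (int i = 0; i < BITS; i++) {
            uint32_t diff = base ^ f(text ^ (UINT32_C(1) << i), key);
            for (int j = 0; j < BITS; j++)
                table[i][j] += ((diff >> j) & 1u) ? 1 : -1;
        }
    }
    for (int i = 0; i < BITS; i++)
        for (int j = 0; j < BITS; j++) {
            long v = table[i][j];
            sum += v;
            if (v < 0) v = -v;
            if (v > st.max_abs) st.max_abs = v;
        }
    st.mean = (double)sum / (BITS * BITS);
    return st;
}

int main(void) {
    cipher_fn fn[] = { xor_cipher, linear_toy, mixer };
    const char *name[] = { "xor (FIG. 11)", "linear toy", "mixer" };
    for (int c = 0; c < 3; c++) {
        struct stats st = evaluate(fn[c], 1024);
        printf("%-14s mean=%8.2f max|cell|=%ld\n", name[c], st.mean, st.max_abs);
    }
    return 0;
}
```

With 1024 samples the XOR object gives a mean of -960 with every cell at ±1024, the linear toy gives a mean of exactly 0 while every cell is still ±1024, and only the mixer keeps all cells small, which is why the page reads the table rather than the mean.
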
[0108] In this embodiment, statistical data indicating the correlations between individual bits of input and output data of an encryption device can also be edited and output in the form of a two- or three-dimensional graph. Examples of the two-dimensional graph are a line graph and a contour graph, and an example of the three-dimensional graph is a 3D contour graph. The statistical evaluation system control means 103 displays, e.g., a "draw graph" dialogue box as shown in Fig. 16 on the screen of the display device to allow easy designation of the type of graph. Referring to Fig. 16, five types of graphs, i.e., a line graph (series: row), line graph (series: column), contour graph, 3D contour graph, and 3D contour graph (inverted) are prepared. The operator can easily designate the type of graph to be edited by selecting the OK button.

[0109] The statistical evaluation system control means 103 informs the statistical result edit/output means 105 of data indicating the type of graph designated by an operator. When the type of graph to be edited is designated for a certain evaluation item, the numerical processing means 105 reads out statistical data of the corresponding evaluation item and transfers the readout data to the multi-dimensional graph edit/output means 506 while designating the type of graph.

[0110] In accordance with the designated graph type, the multi-dimensional graph edit/output means 506 draws a graph of statistical data on a new graph sheet of, e.g., Microsoft Excel 97 and outputs the graph to the display device or printer.

[0111] Figs. 17A to 17E show examples of different types of graphs. That is, Figs. 17A, 17B, 17C, 17D, and 17E show a 3D contour graph, 3D contour graph (inverted), contour graph, line graph (series: row), and line graph (series: column), respectively.

[0112] The 3D contour graph shown in Fig. 17A draws the correlations between individual bits of input and output data as "mountains", "valleys", and "fields". In the case of avalanche evaluation data, for example, the input bit is plotted on the X axis, the output bit is plotted on the Y axis, and "count of inversion - count of non-inversion" is plotted on the Z axis. The graph is drawn such that the larger the value of [count of inversion - count of non-inversion] in the positive direction the higher the "mountains", the larger the value in the negative direction the deeper the "valleys", and the closer the value to 0 the closer the "mountains" and "valleys" to the "fields". Accordingly, a high mountain means that the corresponding input and output have a high correlation, and a deep valley means that the correlation is extremely low, both of which mean a bad property. On the other hand, a field indicates that the probability of an output bit being inverted when an input bit is inverted is close to 0.5, meaning a good property. A 3D contour graph like this allows the operator to intuitively, quickly, and thoroughly survey even details of the behavior of a whole encryption algorithm to be evaluated. The operator can also easily compare different encryption algorithms by comparing 3D contour graphs of a plurality of evaluation object programs.

[0113] The 3D contour graph (inverted) shown in Fig. 17B is formed by inverting the mountains and valleys in the 3D contour graph shown in Fig. 17A. This graph allows the operator to observe the details of valleys that are difficult to see in a 3D contour graph. The contour graph shown in Fig. 17C shows the 3D contour graph in Fig. 17A when viewed in a direction ① in Fig. 17A. Referring to Fig. 17C, fields are drawn thinly, and mountains are drawn thickly. Fig. 17D is a graph showing a given section of the 3D contour graph in Fig. 17A when viewed in a direction ② in Fig. 17A. Fig. 17E is a graph showing a given section of the 3D contour graph in Fig. 17A when viewed in a direction ③ in Fig. 17A. Each graph helps observe the 3D contour graph in more detail.

[0114] In this embodiment as described above, the correlations between individual bits of input and output data of an encryption device can be displayed as various graphs such as a 3D contour graph. Consequently, details of the behavior of encryption conversion can be finely and extremely easily analyzed. This makes accurate evaluation feasible.

(4) End 

[0115] When the operator instructs end, the statistical evaluation system control means 103 detects this instruction (step 607 in Fig. 6). The statistical evaluation system control means 103 sends control data instructing end of the program operation to the statistical data sampling program executing means 104 and ends its own operation (step 608).

[0116] The statistical data sampling program operation monitoring means 403 of the statistical data sampling program executing means 106 detects the control data instructing end of the program operation (step 707 in Fig. 7), and issues control data instructing end of the program operation to the statistical data sampling program interrupting/ending means 404 and the statistical data sampling program generating/activating (restarting) means 405. If the statistical data sampling program 406 issues information, the statistical data sampling program operation monitoring means 403 ends its own operation (step 708).

[0117] The statistical data sampling program generating/activating (restarting) means 405 detects the control data directing end of the program operation (step 807 in Fig. 8) and ends its own operation (step 808). Also, the statistical data sampling program interrupting/ending means 404 detects the control data directing end of the program operation (step 905 in Fig. 9), issues control data directing the end to the statistical data sampling program 406 (step 906), and ends its own processing (step 908).

[0118] The statistical data sampling program 406 detects the control data instructing the end (YES in step A05 of Fig. 10), informs the statistical data sampling program operation monitoring means 403 of the end, and ends its own operation (step A06).

[0119] Fig. 18 is a block diagram showing the arrangement of another embodiment of the encryption strength evaluation support apparatus according to the present invention. The encryption strength evaluation support apparatus of this embodiment comprises a computer main body 1801 including, e.g., a central processing unit and a memory, and a CRT 1802, keyboard 1803, mouse 1804, magnetic disk drive 1805, and recording medium 1806 connected to this computer main body 1801. The recording medium 1806 is a mechanically readable recording medium such as a CD-ROM, magnetooptical disk, or semiconductor memory, and records an encryption strength evaluation support program. The encryption strength evaluation support program recorded in the recording medium 1806 is loaded into the computer main body 1801 to control the operation of the computer main body 1801. In this way the encryption strength evaluation support program implements an evaluation object data group generating means 101, a statistical program library generating means 102, a statistical evaluation system control means 103, a statistical data sampling program executing means 104, and a statistical result edit/output means 105 shown in Figs. 1 to 5 on the computer main body 1801. Note that a statistical result storage means 106 shown in Fig. 1 is implemented by the magnetic disk drive 1805.

[0120] The embodiments of the present invention have been described above. However, the present invention is not limited to the above embodiments, and various additions and changes of the invention are possible. For example, if the encryption algorithm of an encryption device to be evaluated is unknown, it is also possible to calculate the correlation between each bit of input data and each bit of output data of the encryption device from data sequences of the input and output data. If this is the case, an evaluation object data group is formed by the data sequences of the input and output data of the encryption device, and each evaluation item data is sampled from these data sequences.

Claims

1. An encryption strength evaluation support apparatus characterized by comprising:

statistical data sampling program executing means for statistically obtaining correlations between individual bits of input and output data of an encryption device to be evaluated;
statistical result storage means for storing the bit correlations obtained by said statistical data sampling program executing means; and
statistical result edit/output means for editing and/or outputting the bit correlations stored in said statistical result storage means in the form of a table or a two- or three-dimensional graph.

2. An apparatus according to claim 1, characterized by further comprising evaluation object program forming means for forming an encryption program to be evaluated,
wherein said statistical data sampling program executing means statistically obtains correlations between individual bits of input and output data of the evaluation object program formed by said evaluation object program forming means.

3. An apparatus according to claim 1, characterized by further comprising:

statistical program library means for holding, for each predetermined evaluation item, a statistical program for calculating data necessary to evaluate the evaluation item; and
evaluation object data group generating means having evaluation object program forming means for forming an encryption program to be evaluated, evaluation condition setting means for setting evaluation conditions, and interface function setting means for setting an interface between the evaluation object program formed by said evaluation object program forming means and the statistical programs, said evaluation object data group generating means holding an evaluation object data group including the formed evaluation object program and the set evaluation conditions and interface,
wherein said statistical data sampling program executing means comprises statistical data sampling program generating/activating (restarting) means for generating a statistical data sampling program for statistically obtaining correlations between individual bits of input and output data of the evaluation object program from the evaluation object data group and the statistical programs in said statistical program library means.

4. An apparatus according to claim 3, characterized in that said statistical program library means comprises a basic function library of basic functions such as addition, subtraction, and logical operations, and statistical program library generating means for generating a statistical program to be added to a statistical program library by using the basic functions of said basic function library.

5. An apparatus according to any one of claims 1 to 4, characterized in that said statistical data sampling program executing means comprises means for sequentially collecting statistical data for a plurality of evaluation items.

6. An apparatus according to claim 5, characterized in that said statistical data sampling program executing means has a function of interrupting processing for an evaluation item currently being executed and processing the next evaluation item in accordance with an instruction from a user.

7. An apparatus according to claim 6, characterized in that said statistical data sampling program executing means has a function of restarting processing for an evaluation item interrupted in accordance with an instruction from a user.

8. A mechanically readable recording medium recording an encryption strength evaluation support program which allows a computer to function as:

statistical data sampling program executing means for statistically obtaining correlations between individual bits of input and output data of an encryption device to be evaluated;
statistical result storage means for storing the bit correlations obtained by said statistical data sampling program executing means; and
statistical result edit/output means for editing and/or outputting the bit correlations stored in said statistical result storage means in the form of a table or a two- or three-dimensional graph.
FIG. 11

/* ENCRYPTION ALGORITHM SOURCE FILE */
/* EOR MASTER KEY AND TEXT TO FORM CIPHER (32 bits) */
unsigned int masterKey;

void encript(unsigned int *text, unsigned int *cipher)
{
    *cipher = *text ^ masterKey;
}
FIG. 12

#include <conio.h>

/* USER-DEFINED TYPE NAME */
typedef unsigned int uint;
typedef unsigned char uchar;

/* COMMON EXTERNAL FUNCTION */
void fKeyBlk(const uchar *);
void fDatBlk(const uchar *, uchar *);
extern void avalanche(void);
extern void balance(void);
extern void iorelation(void);
extern void relation(void);

/* EXTERNAL VARIABLE DECLARATION */
uint dKeySeed = 9705150;  /* KEY RANDOM NUMBER SEED */
uint dDatSeed = 9705151;  /* INPUT DATA RANDOM NUMBER SEED */
uint dKeyBit = 32;        /* KEY BIT LENGTH */
uint dInBit = 32;         /* INPUT DATA BLOCK BIT LENGTH */
uint dOutBit = 32;        /* OUTPUT DATA BLOCK BIT LENGTH */
uint dKeyCnt = 6;         /* KEY CHANGE COUNT: CHANGE 2^(dKeyCnt) TIMES */
uint dDatCnt = 17;        /* DATA CHANGE COUNT: CHANGE 2^(dDatCnt) TIMES FOR ONE KEY */
uint dKbCnt = 12;         /* KEYBOARD INPUT MONITORING INTERVAL:
                             MONITOR WHENEVER CALCULATION IS PERFORMED 2^(dKbCnt) TIMES */
uint dSavCnt = 31;        /* AUTOMATIC SAVE INTERVAL:
                             SAVE WHENEVER CALCULATION IS PERFORMED 2^(dSavCnt) TIMES */

/* EXTERNAL FUNCTION DECLARATION */
extern void encript(unsigned int *, unsigned int *);
/* extern int ...  (the rest of this declaration is illegible in the source) */




FIG. 13

/**************************
 * main() STATISTICAL EVALUATION MAIN FUNCTION
 **************************/
int main(void)
{
    /* CALL STATISTICAL EVALUATION FUNCTION */
    avalanche();   /* EXECUTE AVALANCHE EVALUATION */
    iorelation();  /* EXECUTE INPUT BIT-OUTPUT BIT RELATION EVALUATION */
    relation();    /* EXECUTE OUTPUT BIT RELATION EVALUATION */
    balance();     /* EXECUTE BALANCE EVALUATION */
    return 0;
}

/**************************
 * fKeyBlk() RECEIVE AND PROCESS KEY
 **************************/
void fKeyBlk(const uchar *inkey)
{
    /* Cast before shifting so the top byte is not shifted into a signed int. */
    masterKey = (uint)inkey[0] << 24 | (uint)inkey[1] << 16 | (uint)inkey[2] << 8 | inkey[3];
}

/**************************
 * fDatBlk() RECEIVE DATA AND FORM EVALUATION OBJECT DATA
 **************************/
void fDatBlk(const uchar *indat, uchar *outdat)
{
    uint text, cipher;  /* DEFINE INPUT/OUTPUT WORK VARIABLE */

    /* COPY CONTENTS OF indat[] TO INPUT WORK VARIABLE */
    text = (uint)indat[0] << 24 | (uint)indat[1] << 16 | (uint)indat[2] << 8 | indat[3];

    /* CALL EVALUATION OBJECT */
    encript(&text, &cipher);

    /* COPY OUTPUT RESULTS TO outdat[] */
    outdat[0] = (uchar)(cipher >> 24);
    outdat[1] = (uchar)(cipher >> 16);
    outdat[2] = (uchar)(cipher >> 8);
    outdat[3] = (uchar)cipher;
}
FIG. 14

B:¥Temp>encript
Avalanche(V4.0) test start! Fri Aug 08 14:46:28 1997
Avalanche(V4.0) Fri Aug 08 14:46:37 1997
count = 2^14.322 (0.24%, 2276fps) -> (+1:01:17) Fri Aug 08 15:47:54 1997
SAVE: ava.sav RESULT: ava_last_xls
Input/Output bit Relation (V4.0) test start! Fri Aug 08 14:46:43 1997

B:¥Temp>encript
Avalanche(V4.0) test start! Fri Aug 08 14:47:40 1997
RESUME: ava.sav
FIG. 16

FIG. 17B